funsec mailing list archives

RE: UK: Chip and PIN Fraud Hits Lloyds TSB


From: Blanchard_Michael () emc com
Date: Thu, 11 May 2006 14:09:53 -0400

 So a "chip and PIN" card/token/whatever has BOTH the account number and the PIN to access it built in?  That doesn't 
sound safe to me at all.  I'll bet it's RFID like the Shell/Mobil tokens too....

  Debit cards are bad enough, but at least they require a PIN number.  


Michael P. Blanchard 
Antivirus / Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Office of Information Security & Risk Management 
EMC ² Corporation 
4400 Computer Dr. 
Westboro, MA 01580 


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Fergie
Sent: Thursday, May 11, 2006 1:38 PM
To: funsec () linuxbox org
Subject: [funsec] UK: Chip and PIN Fraud Hits Lloyds TSB

This is the second instance of Chip and PIN fraud I've
heard this week -- the first was with Royal Dutch Shell,
also in the UK.

Via El Reg.

[snip]

Lloyds TSB has admitted that flaws in the new Chip and PIN system recently introduced for debit cards in the UK open 
up the system to fraud. Conventional fraud may be down because of the system but crooks are still able to use cloned 
debit or credit cards in foreign ATMs.

Instead of authorising debit card transactions by signature, Chip and PIN means that customers use a four-digit PIN code 
to give the go-ahead to purchases.

Although cloned cards won't have a forged chip, the PIN associated with this microchip is the same as that associated 
with a magnetic stripe. Foreign ATMs only read this magnetic strip and not the PIN. So, providing fraudsters obtain the 
data on the magnetic strip, along with the associated PIN, they are able to make withdrawals overseas using a 
conventionally cloned card, something that wouldn't work on a UK high street. Delays in identifying foreign ATM cash 
withdrawals as potentially fraudulent are compounding the problem.

[snip]

More:
http://www.theregister.co.uk/2006/05/11/lloyds_tsb_chip_and_pin_fraud/

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
